Log Types: GauntletFirewallLog
Overview
Gauntlet Firewall is an application-layer proxy firewall with a stateful packet inspection and filtering engine. Each protected service is handled by a proxy process (tcp-7136 in the samples below), which logs connection decisions such as permit; the kernel-level packet filter (logged as gfw) raises security alerts for traffic that reaches no served port.
Collection
Gauntlet Firewall logs can be transferred to the directory /data/SnareCollect/GauntletFirewallLog/ via FTP using the user 'snarexfer'. Logs are processed daily, at around midnight, so an event can take up to a day to appear in Snare. FTP carries both the credentials and the log content in clear text, so the transfer should only cross a trusted management network.
Content is expected to be ASCII text, one event per line, with space-separated values.
Sample Events
tcp-7136[1501]: [ID 702911 daemon.notice] permit destination 203.8.243.174/7136 ID=1501389465
tcp-7136[1501]: [ID 702911 daemon.notice] permit host=nodnsquery/10.16.5.22 use of proxy ID=1501389465
postfix/smtp[20787]: [ID 197553 mail.info] 41FF545909: to=<tony.phillips@myorg.gov.au>, relay=sheriff.myorg.gov[10.16.3.75], delay=1, status=sent (250 ok 1062858444 qp 15557)
gfw: [ID 702911 kern.info] securityalert: udp if=qfe0 from 233.8.243.247:1455 to 15.255.255.255 on unserved port 41508
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system (the firewall host that produced the event) |
| TABLE | GauntletFirewallLog |
| CRITICALITY | The importance the Gauntlet firewall assigns to the event: the syslog facility and level, e.g. daemon.notice or kern.info in the samples above |
| PROXY | The Gauntlet proxy or process that logged the event, i.e. the syslog program tag, e.g. tcp-7136 or gfw in the samples above |
| ACTION | The action the firewall took for this event, e.g. permit, or securityalert for packet-filter alerts |
| SRCADDR | Source IP address (the "from" address in gfw alerts, or the address after "host=name/" in proxy events) |
| SRCPORT | Source port |
| DSTADDR | Destination IP address (the "destination" or "to" address) |
| DSTPORT | Destination port (the port after "destination addr/", or the "unserved port" in gfw alerts) |
| PROTO | Protocol (tcp, udp) |
| STRING | Any other content that does not fit into the other fields, such as the trailing session ID=... token, or the whole message for non-firewall lines like the postfix sample above |
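The field mapping above, as an added example that is not part of Snare or of the Gauntlet product: a Python parser that takes the four sample events (copied here as constructed input) and fills the GauntletFirewallLog fields. It assumes the Solaris syslogd message shape shown in the samples (program[pid]: [ID msgid facility.level] message), an optional BSD syslog timestamp and hostname prefix (absent from the samples and carrying no year, so the caller supplies one), that Gauntlet plug proxies log as tcp-port or udp-port, and that "deny" is the counterpart of "permit". Those are assumptions made for the example, not documented Gauntlet behaviour.

```python
"""Parse Gauntlet Firewall syslog lines into the GauntletFirewallLog fields.
Example code for this page; not Snare or Gauntlet code.  Assumptions are marked."""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed copies of the four sample events shown on this page.
SAMPLE_EVENTS = [
    "tcp-7136[1501]: [ID 702911 daemon.notice] permit destination 203.8.243.174/7136 ID=1501389465",
    "tcp-7136[1501]: [ID 702911 daemon.notice] permit host=nodnsquery/10.16.5.22 use of proxy ID=1501389465",
    "postfix/smtp[20787]: [ID 197553 mail.info] 41FF545909: to=<tony.phillips@myorg.gov.au>, "
    "relay=sheriff.myorg.gov[10.16.3.75], delay=1, status=sent (250 ok 1062858444 qp 15557)",
    "gfw: [ID 702911 kern.info] securityalert: udp if=qfe0 from 233.8.243.247:1455 to 15.255.255.255 on unserved port 41508",
]

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Optional BSD syslog header ("Sep  6 10:27:24 fw1 ", assumed; the samples start at the
# program tag), program tag with optional PID, the Solaris "[ID msgid facility.level]"
# tag seen in every sample (made optional), then the free-form message.
_LINE = re.compile(
    r"^(?:(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+)?"
    r"(?P<proxy>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?:\[ID\s+\d+\s+(?P<crit>[a-z0-9]+\.[a-z]+)\]\s+)?"
    r"(?P<msg>.*)$"
)


@dataclass
class GauntletEvent:
    DATE: str = ""; TIME: str = ""; SYSTEM: str = ""
    TABLE: str = "GauntletFirewallLog"
    CRITICALITY: str = ""; PROXY: str = ""; ACTION: str = ""
    SRCADDR: str = ""; SRCPORT: str = ""; DSTADDR: str = ""; DSTPORT: str = ""
    PROTO: str = ""; STRING: str = ""


def _take(pattern: str, text: str):
    """Search for pattern; return (match, text with the matched fragment cut out)."""
    m = re.search(pattern, text)
    if not m:
        return None, text
    return m, text[:m.start()] + " " + text[m.end():]


def parse_line(line: str, year: int = 2003) -> Optional[GauntletEvent]:
    """Map one syslog line onto the field table.  The BSD syslog timestamp carries no
    year, so the caller supplies it (the 2003 default is arbitrary)."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev = GauntletEvent(PROXY=m["proxy"], CRITICALITY=m["crit"] or "", SYSTEM=m["host"] or "")
    if m["mon"]:
        ev.DATE = f"{year:04d}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}"
        ev.TIME = m["time"]
    # Assumption from the tcp-7136 sample: plug proxies are named "<proto>-<port>".
    pm = re.match(r"(tcp|udp)-\d+$", ev.PROXY)
    if pm:
        ev.PROTO = pm.group(1)
    rest = m["msg"]
    a, rest = _take(r"^(permit|deny|securityalert):?(?=\s|$)", rest)  # "deny" is assumed
    if a:
        ev.ACTION = a.group(1)
    p, rest = _take(r"^\s*(tcp|udp|icmp)\b", rest)                    # gfw: "securityalert: udp ..."
    if p:
        ev.PROTO = p.group(1)
    s, rest = _take(rf"\bfrom {IP}:(\d+)\b", rest)                     # gfw: "from a.b.c.d:port"
    if s:
        ev.SRCADDR, ev.SRCPORT = s.group(1), s.group(2)
    else:
        s, rest = _take(rf"\bhost=\S*?/{IP}\b", rest)                  # proxy: "host=name/a.b.c.d"
        if s:
            ev.SRCADDR = s.group(1)
    d, rest = _take(rf"\bdestination {IP}/(\d+)\b", rest)              # proxy: "destination a.b.c.d/port"
    if d:
        ev.DSTADDR, ev.DSTPORT = d.group(1), d.group(2)
    else:
        d, rest = _take(rf"\bto {IP}\b", rest)                         # gfw: "to a.b.c.d"
        if d:
            ev.DSTADDR = d.group(1)
        d, rest = _take(r"\bon unserved port (\d+)\b", rest)
        if d:
            ev.DSTPORT = d.group(1)
    ev.STRING = " ".join(rest.split())  # everything that mapped onto no field
    return ev


def parse_lines(lines) -> List[GauntletEvent]:
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def unserved_port_alerts(events: List[GauntletEvent]) -> Dict[str, List[str]]:
    """Group gfw securityalert events by source address: {src: [dstport, ...]}.
    One source touching many unserved ports is the shape of a port scan."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        if ev.ACTION == "securityalert" and ev.SRCADDR:
            out.setdefault(ev.SRCADDR, []).append(ev.DSTPORT)
    return out


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_EVENTS):
        print(asdict(ev))
    print(unserved_port_alerts(parse_lines(SAMPLE_EVENTS)))
```

Non-firewall lines such as the postfix sample still parse: they get PROXY and CRITICALITY, an empty ACTION, and the whole message in STRING, which is what the field table implies for content that fits nowhere else. The session ID=... token on proxy events also lands in STRING.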
Notes
-